Wednesday, April 13, 2016

Naming/Shaming Iran Was a Huge Mistake

By Dave Aitel, CEO of Immunity Inc.

The Department of Justice made a big mistake. By naming the seven Iranian hackers it claims were responsible for penetrating a New York dam in 2013 and disrupting US banking websites, it has exposed major inconsistencies in US policy which could have far reaching impacts on US cyber policy and future operations.

First of all, it’s worth pointing out that the US government admonished a foreign government for doing something which it itself is famous for - probing critical infrastructure systems. After all, the Stuxnet project, which targeted Iran’s nuclear facilities in 2010 (and is widely believed to have been a joint US/Israeli operation), is likely what propelled Iran into offensive cyber operations in the first place.

Some will see the DOJ’s announcement as a consistent follow-through in US government policy. After all, we named both China and North Korea in previous attacks and we levied sanctions on private Chinese companies as well. Why shouldn’t Iran get the same treatment?

Here are the problems, as I and others in the security community see them:

What are the ‘red lines’ the US government is trying to draw here?

The US was well within its rights last year when it finally confronted China over its aggressive economic cyber-espionage against American companies and industries. Intellectual property theft is not a legitimate activity of nation-states. The threat of targeted sanctions on Chinese citizens and private Chinese companies for data theft was justified and long overdue and changed Chinese policy at the top level.

But the situation with Iran is different. Just as the foreign intelligence service behind the Office of Personnel Management (OPM) breach was operating within customary espionage norms, so too are the Iranians operating within these boundaries when probing US systems without producing a “kinetic” effect (such as triggering a physical malfunction, damage or outage). And while there are no set norms when it comes to distributed denial-of-service (DDoS) attacks, as the Iranians used against the US financial sector in 2012 and 2013, this mode of attack cannot legitimately be claimed as posing a serious threat to our critical infrastructure. DDoS is inconvenient, but it’s hardly damaging. The Iranians use of DDoS likely had more to do with sending a message to Washington about its use of economic sanctions than anything else.

Why was this a DOJ decision? Why wasn’t the State Department involved?

Normally, when we want to change a nation-state’s behavior, we use customary nation-state to nation-state channels. We don’t sue individuals who are working for that country.

Foreign diplomacy is the State department’s job, not the job of the FBI or a local police department. Something is very wrong with how the US government is coordinating on this issue. The US could, at any time, and probably did, reach out to the Iranian government and ask them to stop the DDoS attacks against the banks allegedly conducted by these seven individuals. But if they were conducting Iranian state operations, then holding them personally responsible is a huge change in policy. If they were not, then why mention the Iranian Revolutionary Guard Corps (IRGC) in the indictment at all?

From an operational security perspective, this announcement was extremely harmful, now and in the future.

By releasing this indictment, the government accomplished two things, both of which are bad from an intelligence standpoint.

First, it showed the world what the US government knows about the Iranian effort.

That means we’ve potentially exposed the sources and methods used by the government to make this determination. It’s generally not a good idea to blow operational security unless you’re truly getting something better in return. In fact, it’s standard practice for the US government to undergo an “equities process” to evaluate these types of risks before proceeding with a public disclosure. But what did the US government actually get out of this announcement? Does anyone seriously think those Iranians will face jail time here in the States? We still have Americans in Iranian cells - do we want them kept there as trading cards for later?

Secondly, this announcement revealed what the US does not know about other, similar efforts like last year’s DDoS attack on Github. After all, if the US is willing to indict the Iranians for DDoSing the banking system, why didn’t they indict the Chinese team behind the Github attack? Is it because we don’t know who was behind that attack? Or are the rules different for the Chinese and the Iranians?

By saying we’re going to indict foreign citizens when we know who is behind a specific cyber attack, we are demonstrating to the world the precise boundaries of our knowledge. This is not a wise plan.

This announcement puts US cyber operatives in the cross-hairs.

The DOJ just put a target on the backs of all US intelligence community employees and contractors who are involved in offensive cyber operations around the world.

These indictments create a sort of international precedent that other countries could one day use to justify actions against private citizens in the US and its allies. By blurring the established cyber norms, the US Department of Justice is creating a complex and messy situation for itself and others in future cyber operations. Could Russia use a similar action against British or German cyber teams? Do we want Hezbollah interdicting American computer scientists when they travel in the region?

What the Department of Justice has done is dangerous and contravenes all standing nation-state policy on the issue, all for a few headlines and feel-good photo-ops. I, along with many others in the information security field, hope they can find a way to reconsider.